You can also verify here that "call edi" is really "call GDI32!CreateFontA", and so on. Move to the "push byte -0a" line, press "F9" to set a breakpoint on it, then press "F5" again. You will find that the third call to CreateFont is at the same address as the first, and the fourth is at the same address as the second. When the first or third call reaches "call edi", the value at the top of the stack is "F4 FF ...", i.e. FFFFFFF4h; when the second or fourth call reaches "call edi", the top of the stack is "F6 FF ...", i.e. FFFFFFF6h. This is because CreateFont only displays the font as expected when the height value is negative; a positive value gives a slightly smaller result, so every call here passes a negative height. FFFFFFF4h is decimal -12 and FFFFFFF6h is decimal -10, so we can guess that the first and third calls create the size-9 font, while the second and fourth create the size-8 font. (Specifically, the second call is used to draw the Winamp version number in the song-title area, and the fourth to draw the song title.)

To test this, on the second and fourth calls, when execution reaches "call edi", type "e esp" and edit the parameter on the stack: it reads "F6 FF", change it to "F4 FF", then let the program continue. You can see that the song title in Winamp is now size 9!

Next, modify the file itself. From the code, you only need to change "push byte -0a" to "push byte -0c"; however, TRW2000 reserves the assemble command "a" for registered users, so we have to work out the bytes to modify ourselves. First, "byte" is a size specifier: it says that "-0a" is a one-byte value. Of course, on a 32-bit system a "push" always pushes four bytes onto the stack; the CPU sign-extends the one-byte "-0a" into a four-byte "-0a" (FFFFFFF6h), but that does not matter to us. All we need to know is that "-0a" is encoded as "F6". OK, type "code on" to view the byte stream.
The bytes for "push byte -0a" are "6a F6", and you can change them to "6a F4". Also write down the bytes in front of it. Here they are "68 90 01 00 00 55 55 6a F6" (remember what "90 01 00 00" is? It is the font weight, 190h = 400 = FW_NORMAL; if you want to make the font bold, this is the place to change it :)). Then exit Winamp and TRW2000. Open winamp.exe in UltraEdit (uedit) and search for "68 90 01 00 00 55 55 6a F6". Only one match is found, so change the last "F6" to "F4", then run Winamp. Looks good, doesn't it? :)

Last question

Although I used the English version here, this method also works on the Tianwei Chinese version, because it is a code patch and has nothing to do with resources. It cannot be used on the brucez Chinese version, however, because that build is packed and cannot be fully unpacked with existing tools: FI identifies the packer as ASPack, but UnASPack cannot unpack it properly, so some protection remains. Personally I prefer the Chinese language pack "Chinese.lng". So what is this ".lng" file? It is actually a dynamic link library, and brucez's "Chinese.lng" is also packed, but UnASPack can unpack it normally. Of course, that is of no real use, because it works perfectly well without unpacking, and if you want its resources, no matter how it is packed or encrypted, you can load it with the API function LoadLibrary and get everything out. After all, if Windows can read and display it, so can we!

Now, back to Winamp. Although the song-title area is indeed drawn in size 9, the top line of the font is clipped, and that is the problem still to be solved. I do not have the energy to solve it, but I think that if you only want fewer characters displayed, you can try tracing the API function TextOut (there must be many TextOut calls). If you want to change the size of the song-title display area, I would trace the function that does the clipping. What exactly is it? I don't know.
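The hex-editor step described above (find the unique byte signature, then change the imm8 of the trailing "push byte" from F6 to F4) is easy to get wrong by hand if the pattern occurs more than once. The following Python script is an added example, not part of the original article or of Winamp: it sign-extends an imm8 the way `push imm8` (opcode 6A ib) does, shows the little-endian dword you would see with "e esp", and patches the file only when the signature is unique. The signature bytes are the ones from the article; `SAMPLE_IMAGE` is a constructed buffer used in place of winamp.exe so the script runs offline.

```python
"""Patch the imm8 operand of a `push byte` (6A ib) at a unique byte signature.

Added example; the signature is the one quoted in the article, the sample
image is constructed and is not a real winamp.exe.
"""
import shutil
import sys

# Signature from the article: push 190h / push ebp / push ebp / push byte -0Ah
SIGNATURE = bytes.fromhex("68 90 01 00 00 55 55 6a f6")
OLD_IMM8 = 0xF6  # push byte -0Ah  (-10)
NEW_IMM8 = 0xF4  # push byte -0Ch  (-12)

# Constructed stand-in for winamp.exe: filler, the signature, then "call edi"
# (FF D7) as in the article, then more filler.
SAMPLE_IMAGE = b"MZ" + b"\x90" * 30 + SIGNATURE + b"\xff\xd7" + b"\xcc" * 16


def imm8_to_int32(imm8):
    """Sign-extend an 8-bit immediate as the CPU does for `push imm8`."""
    imm8 &= 0xFF
    return imm8 - 0x100 if imm8 & 0x80 else imm8


def stack_top_bytes(imm8):
    """Little-endian dword at [esp] after the push, as shown by 'e esp'."""
    value = imm8_to_int32(imm8) & 0xFFFFFFFF
    return " ".join(f"{b:02X}" for b in value.to_bytes(4, "little"))


def signature_count(image, signature):
    """Number of non-overlapping occurrences of signature in image."""
    return image.count(signature)


def patch_push_imm8(image, signature, new_imm8):
    """Return (patched_image, offset_of_imm8).

    Refuses to patch unless the signature ends in a `push imm8` (6A ib) and
    occurs exactly once, so the edit cannot land in the wrong place.
    """
    if len(signature) < 2 or signature[-2] != 0x6A:
        raise ValueError("signature must end with a `push imm8` (6A ib)")
    first = image.find(signature)
    if first < 0:
        raise ValueError("signature not found")
    if image.find(signature, first + 1) >= 0:
        raise ValueError("signature is not unique; refusing to patch")
    offset = first + len(signature) - 1  # the ib byte
    patched = bytearray(image)
    patched[offset] = new_imm8 & 0xFF
    return bytes(patched), offset


def patch_file(path, signature=SIGNATURE, new_imm8=NEW_IMM8):
    """Patch a file in place after writing a .bak copy; returns the offset."""
    with open(path, "rb") as f:
        image = f.read()
    patched, offset = patch_push_imm8(image, signature, new_imm8)
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(patched)
    return offset


if __name__ == "__main__":
    # Usage: python patch_push.py winamp.exe
    print("push byte -0Ah sign-extends to", imm8_to_int32(OLD_IMM8),
          "->", stack_top_bytes(OLD_IMM8))
    print("push byte -0Ch sign-extends to", imm8_to_int32(NEW_IMM8),
          "->", stack_top_bytes(NEW_IMM8))
    if len(sys.argv) == 2:
        off = patch_file(sys.argv[1])
        print(f"patched imm8 at file offset 0x{off:X}")
```

The uniqueness check matters: the article relies on the search finding exactly one hit, and a second hit elsewhere in a different build would silently corrupt an unrelated instruction. A file offset is not the same as the virtual address seen in the debugger; this script searches the raw file, which is what the hex-editor step does.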
:( I would like to say that TRW2000 is a debugging tool, not (or not just) a cracking tool. Don't always think about how to crack something; think more about how to improve the software.

Another method

After writing and uploading this article, I found that the procedure described above is actually very tedious, and that it is not even necessary with TRW2000. So I am adding this section to describe the method briefly. It does not require pressing "F10" until "... as I said above ..."; a single "pmodule" command is enough, which is very convenient. Open TRW2000, select winamp.exe and click "LOAD"; the debug window appears. Type "BPX createfont", press "F5", and wait until the TRW2000 debug window appears again. Type "pmodule" to return to the code area belonging to Winamp, look up, and you will see the following code: